The alternative is a security quick fix, which often results in the accumulation of technical debt being added at the end of the development process to partly mitigate security flaws. Security flaws that are found late in the SDLC are allowed to stay, since quickly-developed, functional applications are often top priority for the sake of revenue and sales. For the former (personnel) - since testing usually occurs near the end of the SDLC - costs and timelines often do not allow businesses to go back and remediate the developed software. Often times corporations take the approach of simply reacting to security vulnerabilities (as opposed to proactively testing for them) after the application has been developed and flaws have been found - either by personnel, researchers, end-users, or by hackers. Many IT firms do not have a large budget for security, or don’t make it a priority.
DIFFERENCE BETWEEN THE SDL THREAT MODELING TOOL AND TMT SOFTWARE
This results in security flaws in many software applications - flaws that are only identified near the end of the software development lifecycle (usually the testing or release phase), and are very difficult and expensive to remediate. In addition, only 11 percent of developers believe that their organization has a fully-deployed security training program for their personnel. The disconnect between management and the actual developers can be vast when it comes to application security. Because of this, security is often an afterthought during the build process. Traditional SDLC models do not include security testing or secure coding into their methodologies or phases.
Developing software in today's IT corporate landscape is a complex process that can be broken down into several phases.